What Businesses Need to Know About the Tennessee Information Privacy Act (TIPA)
Privacy & Compliance | August 15, 2023
On May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act (TIPA) into law, making the Volunteer State the 8th state to pass a comprehensive consumer data privacy law. The law was modeled after Virginia’s VCDPA and shares key definitions, business obligations, and core consumer rights, such as requiring consent for processing sensitive personal data and offering opt-out options for data sales, targeted advertising, and significant profiling decisions. However, there are unique aspects to TIPA that make it a less stringent privacy law than Virginia’s regulation.
In this blog, we’ll cover the scope of the Tennesse Information Protection Act (TIPA), the rights it grants to Tennessee citizens, regulatory requirements for businesses, and how the law will be enforced.
For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.
Who does the Tennessee Information Protection Act Apply to?
The TIPA will apply to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee and that exceed $25,000,000 in revenue and meet one of the following criteria:
- Control or process the personal information of at least 175,000 consumers; or
- Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.
This threshold is significantly higher than that found in comparable laws in Montana and Virginia, and will likely have the effect of significantly narrowing the range of businesses that must comply with the law. The TIPA also makes significant exemptions from compliance for government entities, insurance companies licensed under state law, nonprofit organizations, financial institutions subject to GLBA, HIPAA, and HITECH-covered entities and business associates, and institutions of higher education.
The TIPA also makes a broad exemption for pseudonymous data, which is not covered by the consumer’s data privacy rights under the law.
What Rights does the Tennessee Information Protection Act provide for Tennessee citizens?
Tennessee’s privacy law grants citizens of the state several new rights, primarily based on the rights put forth by VCDPA, which in turn based its consumer rights on the EU’s General Data Protection Regulation (GDPR). Below, we examine several rights common among US data privacy laws, whether Tennessee’s law provides them, and the specific requirements for each right.
Right to Access
Consumers have the right to confirm whether a controller is processing the consumer’s personal information and to access that information.
No Right to Correction
Consumers have the right to correct inaccuracies in their personal information.
Right to Deletion
Consumers have the right to delete personal information provided by or obtained about the consumer. However, a controller is not required to delete pseudonymous or de-identified data.
Right to Data Portability
Consumers have the right to a copy of their personal information in a portable and readily usable format.
Right to Opt-Out of Data Processing
Under the TIPA, consumers have the right to opt out of the processing of personal information for the purposes of targeted advertising, selling personal information about the consumer, or profiling.
Controllers may not process sensitive data without explicit opt-in consent from the consumer concerned or, in the case of a child, consent from a parent or legal guardian.
Right to Opt-Out of Automated Decision Making
The TIPA does not specifically mention automated decision-making, but the law gives consumers the right to opt out of profiling – defined here as solely automated processing performed to predict personal aspects of the individual – used to make decisions that produce legal or similarly significant effects. However, this right does not apply to pseudonymous data.
What are the Regulatory Requirements for Businesses?
Privacy Notice Requirements
Controllers are required to provide a clear and accessible privacy notice to consumers detailing the types of personal information processed, processing purposes, how consumer rights can be exercised, and any third-party sales of personal information.
Consent Management Requirements
As demonstrated by the ‘right to opt-out,’ Tennessee’s law follows the opt-out consent model common to US laws. However, the law follows an opt-in consent model where sensitive personal information is concerned.
Data Security Requirements
Under Tennessee law, data controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.”
Data Protection Assessment Requirements
The TIPA mandates that controllers must perform and document data protection assessments for certain processing tasks that balance their benefits and risks. These activities include targeted advertising, the sale of personal data, profiling, handling of sensitive data, and operations presenting heightened consumer risk. It permits a single assessment for similar operations and considers assessments done under other laws for comparable tasks.
Data Collection and Purpose Limitation Requirements
Controllers will be required to limit the collection of personal information to what is adequate, relevant, and reasonably necessary for the purposes of the processing activity disclosed to the consumer. Controllers must seek further consent to process personal information for purposes other than those initially communicated to the consumer.
How will the law be enforced?
The Tennessee Attorney General has exclusive jurisdiction over the enforcement of the TIPA, and noncompliance with the law can result in civil penalties of up to $7,500 per violation, plus potential treble damages for willful or knowing violations.
Upon notice of violation, a controller will have 60 days to remedy the violation. There is currently no sunset date for this cure period provision.
There is no private right of action under Tennessee law.
Get Compliant with CHEQ Privacy
State privacy laws like this one are pressing new responsibilities—and penalties—on businesses and marketers. CHEQ Privacy offers organizations a solution to help build a fully compliant website and simplify compliance with Tennessee’s law, as well as the UCPA, CTCDPA, VCDPA, CCPA, CPA, GDPR, and any future privacy laws.
Request a demo to see how CHEQ can help your organization meet its compliance and consent management needs.